Threat Actors Repurposing a Security Tool for Harmful Intentions
Cisco Talos researchers have discovered that cybercriminals are likely misusing a tool originally designed for red team security drills to spread malware.
The tool in question is MacroPack, which generates several kinds of files, including Office documents, Visual Basic scripts, and Windows shortcuts, for penetration testing and social-engineering engagements. Developed by Emeric Nasi, a French developer, MacroPack is intended for legitimate security work but has been repurposed for malicious use.
Malware Found in Files From Various Countries
The cybersecurity team identified several files on VirusTotal, uploaded from countries including China, Pakistan, Russia, and the U.S., that were created with MacroPack. These files were used to deploy various malware payloads, including Havoc, Brute Ratel, and a new version of PhantomCore, a remote access trojan (RAT) associated with the hacktivist group Head Mare.
According to Talos researcher Vanja Svajcer, all the suspicious documents included four harmless VBA subroutines that didn't trigger any malicious activity. These subroutines were visible across all the samples and had never been used for anything harmful.
Diverse Tactics and Themes
One notable finding is that the themes of these malicious documents vary greatly. Some documents contain generic instructions asking users to enable macros, while others mimic official-looking military communications. This variety suggests that different groups of attackers are behind the campaigns.
Additionally, some documents use advanced MacroPack features to evade anti-malware detection. For example, attackers use Markov chains to disguise malicious code by generating function and variable names that look plausible but carry no meaning, so the macro does not stand out on the basis of its identifiers.
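One defensive angle on the Markov-chain naming described above is to score a macro's declared identifiers against a vocabulary: human-written VBA tends to use dictionary words (`reportPath`, `FormatReport`), whereas generated names are pronounceable but match nothing. The heuristic below is an added example, not Talos's or MacroPack's code; the word list, the regex for VBA declarations, and the two macro samples are all constructed assumptions for illustration.

```python
import re

# Constructed stand-in for a real dictionary (assumption of this example).
COMMON_WORDS = {
    "auto", "open", "document", "format", "report", "save", "file", "sheet",
    "cell", "range", "value", "name", "path", "data", "row", "column", "index",
    "count", "text", "get", "set", "update", "load", "print", "close", "workbook",
}

# Captures names declared by Sub/Function/Dim/Const lines (simplified VBA grammar).
_DECL_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function|Dim|Const)\s+(\w+)",
    re.IGNORECASE | re.MULTILINE,
)

def extract_identifiers(vba_source):
    """Return identifiers declared by Sub/Function/Dim/Const statements."""
    return _DECL_RE.findall(vba_source)

def _segments(identifier):
    """Split camelCase, snake_case and digit-separated names into lowercase chunks."""
    spaced = re.sub(r"([a-z])([A-Z])", r"\1 \2", identifier)
    return [p.lower() for p in re.split(r"[_\d\s]+", spaced) if p]

def looks_generated(identifier, words=COMMON_WORDS):
    """Heuristic: no segment of the name is a known word."""
    segs = _segments(identifier)
    return bool(segs) and not any(s in words for s in segs)

def generated_name_ratio(vba_source, words=COMMON_WORDS):
    """Fraction of declared identifiers that look machine-generated (0.0 if none)."""
    ids = extract_identifiers(vba_source)
    if not ids:
        return 0.0
    return sum(looks_generated(i, words) for i in ids) / len(ids)

# Constructed samples; neither is real MacroPack output.
BENIGN_MACRO = """
Sub AutoOpen()
    Dim reportPath As String
    reportPath = "C:\\reports\\q2.xlsx"
    Call FormatReport(reportPath)
End Sub
Sub FormatReport(filePath As String)
    Dim rowCount As Integer
End Sub
"""

SUSPICIOUS_MACRO = """
Sub AutoOpen()
    Dim vorthalien As String
    Dim prenstulo As Object
    Call Quarvendil(vorthalien)
End Sub
Function Quarvendil(melistrona As String)
    Dim tarbenqual As Integer
End Function
"""
```

A ratio near 1.0 is a triage signal to pair with other indicators (decode-then-execute patterns, external fetches), not a verdict on its own.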
A Three-Step Attack Process
Between May and July 2024, a common attack pattern emerged. The attack starts with a tampered Office document containing MacroPack VBA code; that code decodes a second-stage payload, which in turn fetches and executes the final malware.
This evolution highlights how cybercriminals constantly adapt their tactics to bypass security measures and improve their chances of success.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.